Version: 5.0

Setting Up Grouping Rules

General Description

One of the tools that allows optimizing the process of responding to incidents and their analysis is incident grouping.

The essence of grouping lies in combining similar incidents that possess identical characteristics into a single group. This allows transitioning from a scattered list of individual events to a more structured representation, identifying patterns, and simplifying situation analysis.

To implement such behavior, it is necessary to set up grouping rules. The rules determine which specific fields of the incident will be used for comparison and subsequent grouping.

Creating Grouping Rules

To access the rules by which incidents will be grouped, go to Main Menu - Incident Manager section - Grouping Rules Setup.

Rules list

At the top of the interface, there is a search bar and filters for convenient rule management, as well as a button for creating new rules.

To create a grouping rule:

Click the Create button at the top of the interface
Fill in the fields in the editor
Click the Save button at the top or bottom of the interface

Rule Editor

The editor consists of 4 sections: Basic, Comparison Fields, Functional Fields, and Additional Fields.

Rule editor

Basic

In the Basic section, the main grouping parameters are filled in:

Name - the name of the rule that will be displayed in the list of rules
Display Name - the name of the incident group in the Incident Manager
Description - description of the incident group

The fields Displayed Name and Description support tokenization. Tokens are available that contain information about the grouping result:

comparison_fields - indicates which field from the Comparison Fields section was used for grouping
function_fields - displays the results of function calculations applied to fields from the Functional Fields section
aggregation_info - stores information about the grouping settings, including the name of the current configuration
incidents_count - shows the total number of incidents combined into this group
Workflow - the workflow that will be used for the group
Closure Statuses - statuses that will be used to close the group
Criticality - the importance level of the incident group
Search Tasks - search tasks that will be used for grouping
Lifetime - the lifetime of the incident group
Maximum Time Between Incidents - the maximum time between incidents for grouping

Comparison Fields

In the Comparison Fields section, you can set comparison parameters for grouping:

Field Name - the final name of the field to be displayed in the aggregation
Search Task - the search task that generates the incident
Value - the name of the field from the incident to be compared. If in the field Search tasks if more than one task is selected, then the name of the field from the incident must be specified for each task. If you need to compare by the field that was included in the incident from the search results in the search task, then add the prefix fields: fields before the field.<Field name>. There is no need to add a prefix for the fields from the incident card

Functional Fields

In the Functional Fields section, you can configure calculations in the group.

Field Name - the final name of the field to be displayed in the aggregation
Function - the function that will be applied to the field from the incident The following functions are currently supported:
- MAX, MIN, SUM, VALUES, AVG, EARLIEST, LATEST
Search Task - the search task that generates the incident
Value - the name of the field from the incident to be compared. If in the field Search tasks if more than one task is selected, then the name of the field from the incident must be specified for each task. If you need to compare by the field that was included in the incident from the search results in the search task, then add the prefix fields: fields before the field.<Field name>. There is no need to add a prefix for the fields from the incident card

Using fields from this section is convenient, for example, when you need to specify in the group card which hosts were mentioned in all incidents of the group.

Additional Fields

In the Additional Fields section, you can set additional incident parameters that are changed in the module settings.

Editing Grouping Rules

To edit a grouping rule:

In the Grouping Rules table, in the Actions column, click the ... button
Select the Edit action
Make changes in the Rule Editor
Click the Save button at the top or bottom of the interface

Enabling and Disabling Grouping Rules

To enable and disable grouping rules:

In the Grouping Rules table, in the Actions column, click the ... button
Select the Disable or Enable action

Deleting Grouping Rules

To delete a grouping rule:

In the Grouping Rules table, in the Actions column, click the ... button
Select the Delete action

General Description​

Creating Grouping Rules​

Rule Editor​

Basic​

Comparison Fields​

Functional Fields​

Additional Fields​

Editing Grouping Rules​

Enabling and Disabling Grouping Rules​

Deleting Grouping Rules​